## AFWall+ additional firewall rules
## Mike Kuketz
## www.kuketz-blog.de


# Paths of the netfilter userland binaries at their stock Android locations.
# NOTE(review): AFWall+ can ship its own iptables build; confirm these are the
# binaries AFWall+ itself uses, otherwise rules may land in a different
# ruleset view than the one AFWall+ manages.
IPTABLES="/system/bin/iptables"
IP6TABLES="/system/bin/ip6tables"

# According to the author, AFWall+ flushes all of its own 'afwall*' chains and
# rules automatically before this custom script runs.
# NOTE(review): that is the author's statement about AFWall+, not something this
# script checks — verify it against the AFWall+ version in use.

# Wipe every rule except the OUTPUT chain, which AFWall+ owns: the filter
# table's INPUT and FORWARD chains plus the entire nat and mangle tables, for
# IPv4 and IPv6 alike. Nothing here aborts on failure, so a missing table
# (e.g. no ip6tables nat on older kernels) only logs an error and the script
# carries on — presumably the "quits with error" the original comment meant.
# NOTE(review): this also discards Android's own netd rules in nat/mangle
# (tethering NAT, bandwidth accounting, idle timers); expect tethering or
# data-usage accounting to break if those are needed — confirm on the device.
for fw in "$IPTABLES" "$IP6TABLES"; do
  "$fw" -F INPUT
  "$fw" -F FORWARD
  "$fw" -t nat -F
  "$fw" -t mangle -F
done

# Now that they are empty, delete the user-defined chains of every table.
# Chains still referenced from a built-in chain (AFWall+'s "afwall" is jumped
# to from OUTPUT) cannot be deleted and are expected to survive this.
for fw in "$IPTABLES" "$IP6TABLES"; do
  "$fw" -X
  "$fw" -t nat -X
  "$fw" -t mangle -X
done

# Fail closed: every built-in chain drops whatever no later rule accepts.
# IPv6 first, then IPv4 (same order as before).
# NOTE(review): AFWall+ steers OUTPUT into its "afwall" chain; with the OUTPUT
# policy at DROP, any packet that falls off the end of that chain without a
# verdict is silently dropped. For IPv6 that is the intent (IPv6 is switched
# off in the kernel further down); for IPv4 make sure this is the wanted
# behaviour rather than an accidental outbound block.
for chain in INPUT FORWARD OUTPUT; do
  $IP6TABLES -P "$chain" DROP
done

for chain in INPUT FORWARD OUTPUT; do
  $IPTABLES -P "$chain" DROP
done

####################
# Tweaks           #
####################
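## Kernel
# Disable IPv6 in the kernel. The original only refused router advertisements
# on wlan0, leaving any other interface (rmnet*, usb tethering, ...) still
# accepting RAs; every interface the kernel currently knows about is covered
# here, plus 'all' and 'default' so interfaces created later inherit it.
# Nodes that do not exist (interface not up yet, kernel without IPv6) are
# skipped instead of producing a redirect error in the AFWall+ log.
# NOTE(review): Android's netd / IpClient may re-enable IPv6 per interface
# when a link comes up, so treat these sysctl writes as best-effort
# hardening — the ip6tables DROP policies set earlier in this script are the
# part that actually holds; confirm the behaviour on the target Android version.
for node in /proc/sys/net/ipv6/conf/*/accept_ra; do
  [ -f "$node" ] || continue
  echo 0 > "$node"
done
for node in /proc/sys/net/ipv6/conf/all/disable_ipv6 \
            /proc/sys/net/ipv6/conf/default/disable_ipv6; do
  [ -f "$node" ] || continue
  echo 1 > "$node"
done

# Privacy (temporary) IPv6 addresses, preferred over the stable
# EUI-64/MAC-derived address. This only matters if IPv6 ends up enabled again
# despite the setting above; it is harmless otherwise.
for node in /proc/sys/net/ipv6/conf/all/use_tempaddr \
            /proc/sys/net/ipv6/conf/default/use_tempaddr; do
  [ -f "$node" ] || continue
  echo 2 > "$node"
done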

# Loopback must be open in both directions: outbound via AFWall+'s own
# "afwall" chain (where it sends OUTPUT traffic), inbound on INPUT.
# NOTE(review): this appends to the END of "afwall". If AFWall+ already accepts
# lo in that chain this is redundant; if the chain ends in a terminal
# REJECT/DROP the rule is never reached — check `iptables -L afwall -n` and
# switch to -I if it has to come first.
$IPTABLES -A afwall -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT

#####################
# Incoming traffic  #
#####################
# IPv4 only: there is deliberately no ip6tables counterpart, IPv6 stays at its
# DROP policy.

# ICMP: ping in both directions plus destination-unreachable (carries the
# fragmentation-needed messages path-MTU discovery depends on).
# NOTE(review): replies to the phone's own pings and ICMP errors tied to a
# tracked connection should already match the ESTABLISHED,RELATED rule
# below, so echo-request is the only real exposure here — it makes the device
# discoverable by ping on untrusted networks; remove it if that is unwanted.
for icmp_type in echo-reply echo-request destination-unreachable; do
  $IPTABLES -A INPUT -p icmp -m icmp --icmp-type "$icmp_type" -j ACCEPT
done

# Return traffic for connections the device itself initiated.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Everything else is refused explicitly rather than silently dropped: TCP gets
# a RST, anything else an ICMP port-unreachable. The INPUT policy (DROP) is
# therefore never reached in practice. REJECT is friendlier to local clients
# than DROP, but it also confirms to a scanner that the host is up.
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -j REJECT --reject-with icmp-port-unreachable

